201-k8s-cluster-with-aks-applicationgateway-ingress

TomArcherMsft · TomArcherMsft · commit da2472a399aa · 2021-08-01T19:42:50.000-07:00
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/main.tf
@@ -0,0 +1,18 @@
+terraform {
+required_providers {
+  azurerm = {
+    source = "hashicorp/azurerm"
+    version = "~>2.0"
+  }
+}
+backend "azurerm" {
+  resource_group_name = var.resource_group_name
+  storage_account_name = var.storage_account_name
+  container_name = "tfstate"
+  key = "codelab.microsoft.tfstate"
+}
+}
+
+provider "azurerm" {
+features {}
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/output.tf
@@ -0,0 +1,36 @@
+output "client_key" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_key
+}
+
+output "client_certificate" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.client_certificate
+}
+
+output "cluster_ca_certificate" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.cluster_ca_certificate
+}
+
+output "cluster_username" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.username
+}
+
+output "cluster_password" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.password
+}
+
+output "kube_config" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config_raw
+    sensitive = true
+}
+
+output "host" {
+    value = azurerm_kubernetes_cluster.k8s.kube_config.0.host
+}
+
+output "identity_resource_id" {
+    value = azurerm_user_assigned_identity.testIdentity.id
+}
+
+output "identity_client_id" {
+    value = azurerm_user_assigned_identity.testIdentity.client_id
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/resources.tf
@@ -0,0 +1,211 @@
+# # Locals block for hardcoded names. 
+locals {
+    backend_address_pool_name      = "${azurerm_virtual_network.test.name}-beap"
+    frontend_port_name             = "${azurerm_virtual_network.test.name}-feport"
+    frontend_ip_configuration_name = "${azurerm_virtual_network.test.name}-feip"
+    http_setting_name              = "${azurerm_virtual_network.test.name}-be-htst"
+    listener_name                  = "${azurerm_virtual_network.test.name}-httplstn"
+    request_routing_rule_name      = "${azurerm_virtual_network.test.name}-rqrt"
+    app_gateway_subnet_name = "appgwsubnet"
+}
+
+data "azurerm_resource_group" "rg" {
+    name = var.resource_group_name
+}
+
+# User Assigned Identities 
+resource "azurerm_user_assigned_identity" "testIdentity" {
+    resource_group_name = data.azurerm_resource_group.rg.name
+    location            = data.azurerm_resource_group.rg.location
+
+    name = "identity1"
+
+    tags = var.tags
+}
+
+resource "azurerm_virtual_network" "test" {
+    name                = var.virtual_network_name
+    location            = data.azurerm_resource_group.rg.location
+    resource_group_name = data.azurerm_resource_group.rg.name
+    address_space       = [var.virtual_network_address_prefix]
+
+    subnet {
+    name           = var.aks_subnet_name
+    address_prefix = var.aks_subnet_address_prefix
+    }
+
+    subnet {
+    name           = "appgwsubnet"
+    address_prefix = var.app_gateway_subnet_address_prefix
+    }
+
+    tags = var.tags
+}
+
+data "azurerm_subnet" "kubesubnet" {
+    name                 = var.aks_subnet_name
+    virtual_network_name = azurerm_virtual_network.test.name
+    resource_group_name  = data.azurerm_resource_group.rg.name
+    depends_on = [azurerm_virtual_network.test]
+}
+
+data "azurerm_subnet" "appgwsubnet" {
+    name                 = "appgwsubnet"
+    virtual_network_name = azurerm_virtual_network.test.name
+    resource_group_name  = data.azurerm_resource_group.rg.name
+    depends_on = [azurerm_virtual_network.test]
+}
+
+# Public Ip 
+resource "azurerm_public_ip" "test" {
+    name                         = "publicIp1"
+    location                     = data.azurerm_resource_group.rg.location
+    resource_group_name          = data.azurerm_resource_group.rg.name
+    allocation_method            = "Static"
+    sku                          = "Standard"
+
+    tags = var.tags
+}
+
+resource "azurerm_application_gateway" "network" {
+    name                = var.app_gateway_name
+    resource_group_name = data.azurerm_resource_group.rg.name
+    location            = data.azurerm_resource_group.rg.location
+
+    sku {
+    name     = var.app_gateway_sku
+    tier     = "Standard_v2"
+    capacity = 2
+    }
+
+    gateway_ip_configuration {
+    name      = "appGatewayIpConfig"
+    subnet_id = data.azurerm_subnet.appgwsubnet.id
+    }
+
+    frontend_port {
+    name = local.frontend_port_name
+    port = 80
+    }
+
+    frontend_port {
+    name = "httpsPort"
+    port = 443
+    }
+
+    frontend_ip_configuration {
+    name                 = local.frontend_ip_configuration_name
+    public_ip_address_id = azurerm_public_ip.test.id
+    }
+
+    backend_address_pool {
+    name = local.backend_address_pool_name
+    }
+
+    backend_http_settings {
+    name                  = local.http_setting_name
+    cookie_based_affinity = "Disabled"
+    port                  = 80
+    protocol              = "Http"
+    request_timeout       = 1
+    }
+
+    http_listener {
+    name                           = local.listener_name
+    frontend_ip_configuration_name = local.frontend_ip_configuration_name
+    frontend_port_name             = local.frontend_port_name
+    protocol                       = "Http"
+    }
+
+    request_routing_rule {
+    name                       = local.request_routing_rule_name
+    rule_type                  = "Basic"
+    http_listener_name         = local.listener_name
+    backend_address_pool_name  = local.backend_address_pool_name
+    backend_http_settings_name = local.http_setting_name
+    }
+
+    tags = var.tags
+
+    depends_on = [azurerm_virtual_network.test, azurerm_public_ip.test]
+}
+
+```hcl
+resource "azurerm_role_assignment" "ra1" {
+    scope                = data.azurerm_subnet.kubesubnet.id
+    role_definition_name = "Network Contributor"
+    principal_id         = var.aks_service_principal_object_id 
+
+    depends_on = [azurerm_virtual_network.test]
+}
+
+resource "azurerm_role_assignment" "ra2" {
+    scope                = azurerm_user_assigned_identity.testIdentity.id
+    role_definition_name = "Managed Identity Operator"
+    principal_id         = var.aks_service_principal_object_id
+    depends_on           = [azurerm_user_assigned_identity.testIdentity]
+}
+
+resource "azurerm_role_assignment" "ra3" {
+    scope                = azurerm_application_gateway.network.id
+    role_definition_name = "Contributor"
+    principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
+    depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
+}
+
+resource "azurerm_role_assignment" "ra4" {
+    scope                = data.azurerm_resource_group.rg.id
+    role_definition_name = "Reader"
+    principal_id         = azurerm_user_assigned_identity.testIdentity.principal_id
+    depends_on           = [azurerm_user_assigned_identity.testIdentity, azurerm_application_gateway.network]
+}
+```
+
+resource "azurerm_kubernetes_cluster" "k8s" {
+    name       = var.aks_name
+    location   = data.azurerm_resource_group.rg.location
+    dns_prefix = var.aks_dns_prefix
+
+    resource_group_name = data.azurerm_resource_group.rg.name
+
+    linux_profile {
+    admin_username = var.vm_user_name
+
+    ssh_key {
+        key_data = file(var.public_ssh_key_path)
+    }
+    }
+
+    addon_profile {
+    http_application_routing {
+        enabled = false
+    }
+    }
+
+    default_node_pool {
+    name            = "agentpool"
+    node_count      = var.aks_agent_count
+    vm_size         = var.aks_agent_vm_size
+    os_disk_size_gb = var.aks_agent_os_disk_size
+    vnet_subnet_id  = data.azurerm_subnet.kubesubnet.id
+    }
+
+    service_principal {
+    client_id     = var.aks_service_principal_app_id
+    client_secret = var.aks_service_principal_client_secret
+    }
+
+    network_profile {
+    network_plugin     = "azure"
+    dns_service_ip     = var.aks_dns_service_ip
+    docker_bridge_cidr = var.aks_docker_bridge_cidr
+    service_cidr       = var.aks_service_cidr
+    }
+
+    role_based_access_control {
+    enabled = var.aks_enable_rbac
+    }
+
+    depends_on = [azurerm_virtual_network.test, azurerm_application_gateway.network]
+    tags       = var.tags
+}
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/terraform.tfvars
@@ -0,0 +1,9 @@
+resource_group_name = "<Name of the Resource Group already created>"
+
+location = "<Location of the Resource Group>"
+    
+aks_service_principal_app_id = "<Service Principal AppId>"
+    
+aks_service_principal_client_secret = "<Service Principal Client Secret>"
+    
+aks_service_principal_object_id = "<Service Principal Object Id>"
diff --git a/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf b/quickstart/201-k8s-cluster-with-aks-applicationgateway-ingress/variables.tf
